Re: [webauthn] Display name content rules?

After consulting with a Mozilla wizard (@zbraniecki), the current definition of these `displayName` fields will prohibit browsers from including them in UI that does not have clear boundaries. E.g., not in notification or permission boxes. E.g., we could include the `displayName`s in a management interface where there are grids/borders/graphical elements, but not run it together into a compressed space like a prompt.

(**Note**: Firefox is not including anything but the origin in any of its prompts in its first release for these reasons.)

@zbraniecki suggests that if we want to let browsers use this information for prompts, that we should write / refer to some guidance on how to present the strings, given that the attacker can do three major things with a DOMString:

> play with position and directionality (so the string may appear on the far right of the field rather than left, or in the middle), make things invisible within the string or confusing (emojis), or make the string contain characters that look like other characters.

My poor synopsis of some sample guidance would be advice to always use UI elements to provide a clear boundary around these strings, and not allow overflow into other elements, etc.

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/593#issuecomment-369402225 using your GitHub account

Received on Wednesday, 28 February 2018 22:15:44 UTC
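Added example, not code from the thread or from the WebAuthn spec: a defender-side JavaScript check that flags the three `displayName` abuses the comment lists (directionality controls, invisible characters and emoji, mixed-script look-alike characters) plus excessive length, so a browser or relying party can decide whether a string is safe to show inside a bounded UI element or should be replaced by the origin alone. The function name `checkDisplayName`, the script list and the length limit are assumptions; the mixed-script test is a rough approximation, not a full UTS #39 confusables check.

```javascript
// Added example, not from the thread or the WebAuthn spec. Flags the three
// DOMString abuses the comment describes before a displayName reaches a
// prompt: directionality controls, invisible characters / emoji, and
// mixed-script look-alikes. The script list is an assumption and only
// approximates a real confusables check (UTS #39).

// Bidi embeddings, overrides, isolates and marks: LRE..RLO, LRI..PDI, LRM, RLM, ALM.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/u;
// Zero-width and otherwise invisible characters: ZWSP, ZWNJ, ZWJ, WJ, BOM, SHY, CGJ.
const INVISIBLE = /[\u200B-\u200D\u2060\uFEFF\u00AD\u034F]/u;
// C0/C1 control characters (e.g. newlines that could reflow a prompt).
const CONTROL = /\p{Cc}/u;
// Characters that render as emoji by default.
const EMOJI = /\p{Emoji_Presentation}/u;
// Scripts whose letters have well-known Latin look-alikes (assumed list).
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

function scriptsUsed(str) {
  return Object.keys(SCRIPTS).filter((name) => SCRIPTS[name].test(str));
}

// Returns { ok, problems }; ok means the string showed none of the issues
// and can be considered for display inside a clearly bounded UI element.
function checkDisplayName(name, maxLen = 64) {
  const problems = [];
  if (BIDI_CONTROLS.test(name)) problems.push('bidi-control');
  if (INVISIBLE.test(name)) problems.push('invisible-char');
  if (CONTROL.test(name)) problems.push('control-char');
  if (EMOJI.test(name)) problems.push('emoji');
  // Mixing Latin with Cyrillic or Greek is the classic homograph setup;
  // this also flags some legitimate bilingual names, so treat it as a
  // reason to fall back to showing only the origin, not as proof of attack.
  if (scriptsUsed(name).length > 1) problems.push('mixed-script');
  if ([...name].length > maxLen) problems.push('too-long');
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs; U+0430 is Cyrillic small a, U+202E is RLO.
for (const sample of ['Alice Smith', 'p\u0430ypal', 'Alice\u202Eevil', 'Bob\u200Bcarol']) {
  console.log(JSON.stringify(sample), checkDisplayName(sample));
}
```

A string that fails any check is a candidate for the fallback the comment describes: show only the origin, or render the name inside a bordered element that cannot overflow into neighbouring text.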